Tell ISPConfig to stop trying to initialize iptables

[Quasdunk]

I've installed ISPConfig 3 on a vServer on which I'm not able to use iptables.

I believe I was able to get fail2ban running via a php-scrip accessing the server's web-interface and adding/deleting the firewall-rules there (the script is working fine, but I haven't seen any ban-events triggered yet, which is very unusual, because we could observe break-in attempts permanently on the old server).

The ISPConfig-log, however, keeps telling me the same thing over and over again:

/var/log/ispconfig/cron.log:

Quote:

iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

How can I make it stop - or maybe even fix it?

[falko]

I think you can configure fail2ban to not use iptables.

[Quasdunk]

Quote:

Originally Posted by falko

I think you can configure fail2ban to not use iptables.

I think fail2ban should actually be working fine.
As a workaround, I made the following changes in /etc/fail2ban/action.d/iptables-multiport.conf:

Quote:

[Definition]
actionstart =
#actionstart = iptables -N fail2ban-<name>
# iptables -A fail2ban-<name> -j RETURN
# iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop =
#actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# iptables -F fail2ban-<name>
# iptables -X fail2ban-<name>

actioncheck =
#actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = php -f /etc/fail2ban/firewallapi.php add INPUT "<ip>" DROP
#actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = php -f /etc/fail2ban/firewallapi.php delete INPUT "<ip>" DROP
#actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

So basically, everything is commented out and the actionban and actionunban are handled by a PHP-script which queries against the vServer-API. These changes were recommended by my hosting provider.
After changing it as shown above, fail2ban was able to start again (I was getting a 300 error before). Here's what /var/log/fail2ban.log says:

Quote:

fail2ban.jail : INFO Creating new jail 'ssh'
fail2ban.filter : INFO Added logfile = /var/log/auth.log
...
fail2ban.jail : INFO Creating new jail 'pureftpd'
fail2ban.filter : INFO Added logfile = /var/log/syslog
...
fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
fail2ban.filter : INFO Added logfile = /var/log/mail.log
...
fail2ban.jail : INFO Jail 'ssh' started
fail2ban.jail : INFO Jail 'pureftpd' started
fail2ban.jail : INFO Jail 'dovecot-pop3imap' started

So fail2ban seems to be running correctly, BUT: It doesn't seem to care about the filters, because nothing happens (and nothing is logged) even when I try to provoke a ban on purpose. And I suppose it has something to do with ISPConfig endlessly reporting that one error over and over again in /var/log/ispconfig/cron.log:

Quote:

iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

But if fail2ban is running, what else could be causing that error?

[till]

The errors are most likely caused by the ispconfig monitor which checks your server every 5 minutes.

Search for iptables in the file /usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php